Description of problem:
The cluster-role prometheus-operator assigned to prometheus-operator service account has all (*) privileges over customresourcedefinition resources.
A quick review of the code doesn't justify this excessive permission level, which could be a security issue if the token of the service account is used to manage any of the defined customresourcedefinitions by editing them or deleting them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Get the token of the service account:
$ oc describe sa -n openshift-monitoring prometheus-operator
$ oc get secret -n openshift-monitoring <token> -o yaml
$ token=$( echo <token> | base64 -d )
2. Delete any CRD, using oauths.config.openshift.io as an example:
$ oc --token=$token delete crd oauths.config.openshift.io
Actual results:
The OAuth CRD is deleted.
Expected results:
The service account shouldn't be able to delete CRDs that aren't under its management.
CRDs are objects which require special consideration, and the permissions over them should be scoped to the required verbs.
This is still the same in OpenShift 4.3, hence setting the release to it: https://github.com/openshift/cluster-monitoring-operator/blob/release-4.3/assets/prometheus-operator/cluster-role.yaml
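As an added illustration (not part of the bug report or of the cluster-monitoring-operator project), the check below flags RBAC rules that grant mutating verbs on CustomResourceDefinitions without a resourceNames restriction. Both ClusterRoles are constructed for this example; the verb set in the scoped role is an assumption about what the operator needs, not the project's actual fix.

```python
# Constructed ClusterRole rules mirroring the report's shape (not project code).
OVERBROAD_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "prometheus-operator"},
    "rules": [
        # The reported state: every verb on every CRD in the cluster.
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"], "verbs": ["*"]},
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["prometheuses", "servicemonitors"], "verbs": ["*"]},
    ],
}

# Constructed: CRD access narrowed. The exact verbs the operator needs are an
# assumption; the point is that mutation is pinned to the CRDs it owns.
SCOPED_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "prometheus-operator"},
    "rules": [
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch"]},
        # resourceNames cannot restrict create or deletecollection, so only
        # per-object verbs are pinned to the operator's own CRD names.
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"],
         "resourceNames": ["prometheuses.monitoring.coreos.com",
                           "servicemonitors.monitoring.coreos.com"],
         "verbs": ["get", "update", "patch"]},
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["prometheuses", "servicemonitors"], "verbs": ["*"]},
    ],
}

# Verbs that let the holder alter or remove CRDs (and the wildcard).
MUTATING_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}


def overbroad_crd_rules(role):
    """Return rules granting mutating verbs on CRDs with no resourceNames pin.
    Wildcards in apiGroups or resources count as covering CRDs."""
    findings = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", [])) & {"apiextensions.k8s.io", "*"}
        resources = set(rule.get("resources", [])) & {"customresourcedefinitions", "*"}
        verbs = set(rule.get("verbs", [])) & MUTATING_VERBS
        if groups and resources and verbs and not rule.get("resourceNames"):
            findings.append(rule)
    return findings
```

Running the same function over `oc get clusterrole -o json` output (the `rules` field has the same shape) turns this into a quick audit of every role in a cluster.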
Created attachment 1657289: prometheus-operator cluster-role file
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.